PT-2026-40121 · Horovod · Horovod

Published: 2026-05-12 · Updated: 2026-05-12 · CVE-2026-31234

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Horovod versions prior to 0.28.2

Description: The KVStore HTTP server component, used for distributed task coordination, lacks authentication and authorization controls. This allows a remote attacker to write arbitrary data to the store using HTTP PUT requests. When a worker later reads that data via HTTP GET, it deserializes it with cloudpickle.loads() without verifying its source or integrity. An attacker can therefore store a malicious pickle payload on the server, which, when deserialized by the victim worker, leads to remote code execution.

Recommendations: Update to version 0.28.2 or later.
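The untrusted-deserialization path in the description, reduced to a runnable defensive model. This is an added example, not Horovod's code and not the 0.28.2 patch: an in-memory store stands in for the HTTP KVStore, the shared secret and key names are constructed placeholders, and the two mitigations shown (an HMAC tag so that only holders of the secret can write, and a restricted unpickler so that even a correctly tagged payload cannot resolve globals outside an allowlist) illustrate the general class of fix rather than the project's actual change.

```python
"""Defensive deserialization for a worker coordination key-value store.

Added example, not Horovod's own code. Models the pattern in the advisory
(workers PUT serialized values, GET them back, then deserialize) and shows
two mitigations: authenticate payloads, and restrict what unpickling may do.
"""
import datetime
import hashlib
import hmac
import io
import pickle
from typing import Any

# Constructed placeholder; a deployment would generate a random secret and
# distribute it to trusted workers out of band.
SHARED_SECRET = b"example-shared-secret-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

# (module, name) pairs the unpickler may resolve. Plain dict/list/str/int
# values need no global lookups at all, so this list can stay very short.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside ALLOWED_GLOBALS,
    which is the hook a pickle payload needs to reach arbitrary callables."""

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not permitted in KVStore payloads")


def restricted_loads(data: bytes) -> Any:
    """Deserialize with the allowlist in force."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def seal(value: Any, secret: bytes = SHARED_SECRET) -> bytes:
    """Serialize a value and prefix an HMAC-SHA256 tag over the pickle bytes."""
    body = pickle.dumps(value, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return tag + body


def unseal(blob: bytes, secret: bytes = SHARED_SECRET) -> Any:
    """Check the tag in constant time before any byte reaches the unpickler."""
    if len(blob) < TAG_LEN:
        raise ValueError("payload too short to carry an authentication tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch; payload rejected")
    return restricted_loads(body)


class AuthenticatedKVStore:
    """In-memory stand-in for the coordination KVStore (constructed for this
    example). PUT verifies the tag before storing and GET verifies it again
    before deserializing, so an unauthenticated writer never reaches loads()."""

    def __init__(self) -> None:
        self._data: dict[str, bytes] = {}

    def put(self, key: str, blob: bytes) -> None:
        unseal(blob)  # rejects forged, tampered and disallowed payloads
        self._data[key] = blob

    def get(self, key: str) -> Any:
        return unseal(self._data[key])


def outcome(store: AuthenticatedKVStore, key: str, blob: bytes) -> str:
    """Attempt a PUT and report 'accepted' or the rejecting exception type."""
    try:
        store.put(key, blob)
        return "accepted"
    except (ValueError, pickle.UnpicklingError) as exc:
        return type(exc).__name__


def run_scenarios() -> dict[str, str]:
    """One legitimate write and three rejected ones, keyed by scenario."""
    store = AuthenticatedKVStore()
    results: dict[str, str] = {}

    # Trusted worker: correctly tagged, plain-data payload.
    results["trusted_worker"] = outcome(
        store, "worker/0/ready", seal({"rank": 0, "hosts": ["h0", "h1"]}))

    # Writer without the secret: tag computed under the wrong key.
    results["no_secret"] = outcome(
        store, "worker/1/ready", seal({"rank": 1}, secret=b"wrong-secret"))

    # Tampered in transit: one body byte flipped after tagging.
    tampered = bytearray(seal({"rank": 2}))
    tampered[-1] ^= 0x01
    results["tampered"] = outcome(store, "worker/2/ready", bytes(tampered))

    # Correctly tagged, but the pickle references a global (datetime.date)
    # outside the allowlist; the unpickler stops at find_class.
    results["disallowed_global"] = outcome(
        store, "worker/3/ready", seal(datetime.date(2026, 5, 12)))

    results["readback_rank"] = str(store.get("worker/0/ready")["rank"])
    return results


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario}: {result}")
```

Run it directly to see each scenario's outcome. The authentication tag establishes who wrote a value, not that its bytes are safe, so the restricted unpickler is the layer that matters if untrusted data can still reach the deserializer by any other path; the cleaner design for coordination values is a data-only format such as JSON, which removes the pickle code path entirely.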

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2026-31234
GHSA-MF8F-X4R3-JM8C

Affected Products

Horovod